The Current Reality of Residential DDoS Botnets

FastNetMon

June 24, 2026


If you track cybersecurity headlines, it looks like the global battle against DDoS has entered a quiet period. The massive, record-breaking multi-terabit attacks that regularly made the front pages last year seem to have vanished.

Much of this silence follows a major international law enforcement operation, coordinated with Europol and the U.S. Department of Justice. The action successfully dismantled the command-and-control (C2) infrastructure of some of the largest botnets in history, including Kimwolf and associated networks like Aisuru, leading to operator arrests.

However, if you operate a network, manage a transit edge, or monitor daily traffic telemetry, you know that the underlying problem of DDoS just keeps growing. So what is actually happening?

In this article, we’re looking into the current reality of residential DDoS botnets, drawing on research by Nokia Deepfield and the Comcast Threat Research Lab recently presented at NANOG 97 by Craig Labovitz, reporting from Infoblox and threat intel by Bitsight, combined with our own insights and operator anecdotes from the field.

From monolithic botnets to smaller, fragmented operators

When law enforcement knocked out Kimwolf’s core command servers, they cut off the centralised head, but the malware itself stayed active on millions of endpoints, each of them still reachable by whoever set up the next set of controllers.

As the Nokia and Comcast teams highlighted, attackers discovered a powerful weakness in parts of the residential proxy ecosystem. Rather than scanning the internet for vulnerable devices, they could abuse the proxy infrastructure itself to reach exposed Android Debug Bridge (ADB) services on participating endpoints. This allowed residential proxy access to become both the distribution channel and the attack surface, accelerating the growth of compromised device populations.

Today, instead of a single, massive botnet controlling millions of nodes under a unified command, the ecosystem has broken apart:

  • The Fragmented Market: Roughly two dozen smaller, independent botnet operations are now actively competing for the same pool of infected, unpatched residential devices (smart TVs, low-cost streaming boxes, and home IoT setups).
  • The Supply Chain Shift: Bitsight’s latest threat research highlights that despite massive operations taking down proxy providers like IPIDEA earlier this year, the underlying malware supply chains (such as Badbox and Vo1d) instantly adapted, routing their hijacked device pools to competing commercial brokers within weeks.
  • Explosive Growth: Seizing a C2 server does not patch the devices behind it. Because the endpoints stay vulnerable, new threat actors simply spin up fresh infrastructure and re-enrol the existing population.
  • The Scale: The joint Nokia/Comcast data puts the number of daily active residential proxy nodes at roughly 1 million a year ago, rising to 8–9 million today.

The threat has transitioned from a few massive, coordinated waves into a continuous, aggressive baseline of malicious activity distributed across consumer networks worldwide.

The perfect storm: AI capital and gigabit uploads

Not every residential proxy service relies on malware, and not every infected device participates in DDoS activity. However, research consistently shows significant overlap between commercial residential proxy networks and malware-operated infrastructure.

The question is why this footprint continues to expand so rapidly. The answer lies in a combination of market economics and modern telecom infrastructure:

1. The multi-billion-dollar AI scraping engine

The rapid growth of AI systems has significantly increased demand for large-scale web data collection. In some cases, scraping pipelines use residential proxy networks to reduce blocking, balance geographic distribution, or access content that is difficult to retrieve at scale from datacenter infrastructure. As a result, residential IP space has become a highly valued commodity in the data acquisition ecosystem.

The Infoblox research shows that residential proxy infrastructure is also visible across enterprise environments. Over 65% of their customers generated DNS queries to domains associated with residential proxy networks in 2026, reflecting both direct usage and broader exposure within monitored networks.

Across their customer base, DNS queries to residential proxy–related domains increased from roughly 400 billion per month in 2025 to over 500 billion per month in 2026. Infoblox attributes part of this growth to increased demand for large-scale data collection, including AI-related scraping activity, alongside continued use of proxyware and residential proxy services embedded in consumer and enterprise environments.

2. The symmetry windfall

The telecom industry’s aggressive push to deploy symmetric gigabit and multi-gigabit home fibre connectivity has inadvertently handed these botnets massive upstream pipelines. Network planners historically assumed home users would rarely saturate their upload bandwidth. A compromised proxy node launching an outbound UDP flood is one of the few applications that will happily consume every single megabit of available upstream capacity.

The Reality: Residential proxy infrastructure now rivals the world’s largest transit and content networks in aggregate upstream capacity. It is no longer a niche nuisance, but a permanent piece of internet infrastructure.

Shifting the focus: The outbound network crisis

DDoS defence has traditionally focused on the inbound vector: protecting your own data centre or downstream enterprise customers from being knocked offline.

But as residential networks are weaponised from the inside out, network operators face severe, self-inflicted operational crises caused entirely by outbound DDoS traffic.

For an ISP, this creates an unprecedented internal strain:

  • State Table Exhaustion: High-volume outbound UDP carpet-bombing floods quickly exhaust the state tables of your own Broadband Network Gateways (BNGs) and carrier-grade NAT (CGNAT) systems, degrading service for innocent users.
  • Transit Cost Explosions: Your expensive, legitimate transit links get choked by outbound garbage traffic, pushing you over your committed rate and into burst charges or forced upgrades.
  • IP Reputation Destruction: Your Autonomous System (AS) IP ranges end up flagged on global blocklists, causing immediate authentication failures and CAPTCHA nightmares for your legitimate subscribers.

Practical traffic hygiene

We aren’t going to see a permanent manufacturing fix for insecure home IoT devices anytime soon. Protecting your network right now comes down to practical, proactive traffic hygiene.

By tracking outbound telemetry and dropping botnet traffic right at your own border routers, you starve the botnet of its upstream pipes while protecting your own infrastructure.

This is exactly where FastNetMon can help. While historically deployed to detect inbound volumetric spikes, our engine keeps independent telemetry counters for the incoming and outgoing directions, so an outbound flood from a subscriber address is tracked separately from anything arriving at it.

By analysing NetFlow, sFlow, or IPFIX records straight from your edge or border routers, FastNetMon gives you per-host packet and bandwidth rates for every subscriber address, which also tells you what normal upload behaviour looks like when you set thresholds. If a cluster of compromised residential endpoints triggers a synchronised outbound attack, each offending host crosses your configured packets-per-second (PPS) or bandwidth thresholds and is flagged. Sampled exports are scaled by the configured sampling rate before comparison; if the exporter samples 1 in 1000 packets and that is not accounted for, every threshold is effectively a thousand times too loose.

From there, it can automatically apply mitigation policies, such as pushing a BGP FlowSpec rule or a Remote-Triggered Blackhole (RTBH) announcement, directly to your network hardware. The two are not equivalent for outbound attacks: RTBH on the subscriber address takes that subscriber fully offline, while a FlowSpec rule can match only the offending protocol or ports and discard or rate-limit them, leaving the rest of the household working. The infected devices stay infected for now, but they are instantly starved of their ability to harm the wider internet or your bottom line.
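The detection logic described above, as an added example that is not FastNetMon code: it aggregates sampled flow records per subscriber source address for the outbound direction only, scales the counts by the sampling rate, compares the resulting PPS and Mbps against fixed per-host thresholds, and turns a hit into a FlowSpec-style mitigation request with RTBH as the fallback. The subscriber prefix, sampling rate, window, thresholds and all flow records are constructed for the example and use RFC 5737 test address ranges.

```python
"""Per-subscriber outbound flood detection over sampled flow records.

Added example, not FastNetMon code. Addresses (RFC 5737 test ranges),
thresholds, sampling rate, window and the flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SUBSCRIBER_PREFIXES = [ip_network("203.0.113.0/24")]  # assumption: our access network
SAMPLING_RATE = 100        # assumption: exporter samples 1 in 100 packets
WINDOW_S = 10              # assumption: collector aggregates 10 s windows
PPS_THRESHOLD = 50_000     # illustrative per-host outbound limits
MBPS_THRESHOLD = 500


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    packets: int    # sampled counts as exported, not yet scaled
    bytes: int


@dataclass
class Alert:
    host: str
    pps: float
    mbps: float
    proto: int
    distinct_dsts: int
    reasons: list = field(default_factory=list)


def is_subscriber(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in SUBSCRIBER_PREFIXES)


def outbound_rates(flows, window_s=WINDOW_S, sampling_rate=SAMPLING_RATE):
    """Aggregate outbound flows per source host, scaled by the sampling rate.

    Inbound and intra-network flows are skipped; the inbound direction
    belongs in its own counter set, exactly as the article describes.
    """
    pkts, octets = defaultdict(int), defaultdict(int)
    proto_pkts = defaultdict(lambda: defaultdict(int))
    dsts = defaultdict(set)
    for f in flows:
        if not is_subscriber(f.src) or is_subscriber(f.dst):
            continue
        pkts[f.src] += f.packets * sampling_rate
        octets[f.src] += f.bytes * sampling_rate
        proto_pkts[f.src][f.proto] += f.packets
        dsts[f.src].add(f.dst)
    rates = {}
    for host in pkts:
        top_proto = max(proto_pkts[host], key=proto_pkts[host].get)
        pps = pkts[host] / window_s
        mbps = octets[host] * 8 / window_s / 1e6
        rates[host] = (pps, mbps, top_proto, len(dsts[host]))
    return rates


def detect(flows, pps_threshold=PPS_THRESHOLD, mbps_threshold=MBPS_THRESHOLD):
    """Return one Alert per subscriber host exceeding either threshold."""
    alerts = []
    for host, (pps, mbps, proto, ndst) in sorted(outbound_rates(flows).items()):
        reasons = []
        if pps > pps_threshold:
            reasons.append(f"pps {pps:.0f} > {pps_threshold}")
        if mbps > mbps_threshold:
            reasons.append(f"mbps {mbps:.0f} > {mbps_threshold}")
        if reasons:
            alerts.append(Alert(host, pps, mbps, proto, ndst, reasons))
    return alerts


def mitigation(alert: Alert) -> dict:
    """Describe the mitigation to push for an alert (not router syntax).

    A FlowSpec match on source /32 plus the dominant protocol discards
    only the flood; RTBH of the same /32 takes the subscriber offline,
    so it is kept as the fallback.
    """
    return {
        "type": "flowspec",
        "match": {"source": f"{alert.host}/32", "protocol": alert.proto},
        "action": "discard",
        "fallback": {"type": "rtbh", "prefix": f"{alert.host}/32"},
    }


def constructed_flows():
    """Constructed 10 s window: one normal uploader, one UDP carpet-bomber."""
    flows = [Flow("203.0.113.10", "198.51.100.20", 6, 443, 20, 20_000) for _ in range(5)]
    # Inbound flow toward the normal subscriber; must not count as outbound.
    flows.append(Flow("198.51.100.5", "203.0.113.10", 6, 51000, 500, 700_000))
    # Compromised box: 1400-byte UDP packets sprayed at 200 destinations.
    for i in range(200):
        flows.append(Flow("203.0.113.77", f"198.51.100.{i + 1}", 17, 10_000 + i, 40, 56_000))
    return flows


if __name__ == "__main__":
    for a in detect(constructed_flows()):
        print(a)
        print(mitigation(a))
```

With these constructed records the normal subscriber comes out at 1,000 pps and 8 Mbps and is left alone, while the compromised box, once the 1-in-100 sampling is undone, shows 80,000 pps and 896 Mbps toward 200 distinct destinations and trips both thresholds. Drop the `sampling_rate` multiplication and the same host reports 800 pps and stays invisible, which is the failure mode the text warns about.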

A shared operational responsibility

When a global takedown knocks out a major command server, the underlying industry does not vanish, unfortunately. We saw this earlier this year when U.S. proxy infrastructure was disrupted: the traffic didn't die; it simply migrated to Latin America, with Brazil quickly filling the gap.

Dealing with residential proxies is a fast-moving, highly adaptable industry-wide problem. Treating outbound security as a shared operational responsibility is no longer optional. By deploying automated telemetry monitoring at your border, you protect your own transit costs and BNG state tables, while actively helping to keep attack traffic sourced from your network off the global internet.